Burp Suite User Forum


Session handling with two rules

Tom | Last updated: Oct 22, 2015 09:39PM UTC

Hi, I have a web app that has two issues when scanning or spidering. Sometimes the app closes the session so I get a 302 redirect; other times, the app malfunctions and all requests end with error 500 and I must re-auth. I have a valid macro to perform authentication but I can't configure Burp to handle two session rules. First I tried to do two separate rules with two separate action rules but only one is checked; both rules are 'check session is valid'. Second, I tried to do two rule actions in the same rule, to search for the 302 HTTP header and 500, but no luck. My last attempt was to do a regex like /302|500/g but the regexp doesn't work. I can't find information about regexp in Burp so I don't know how to do it.

PortSwigger Agent | Last updated: Oct 27, 2015 01:12PM UTC

The "check session is valid" action has an option that determines whether to process any further rules or actions for the current request. If you have selected the option to issue the current request to determine session validity, then it isn't possible to continue processing any further actions, since the request has already been issued. It sounds like you have two options:

1. Run a macro to determine session validity, so that you can continue processing further rules.
2. Use a suitable regex that matches all of the error conditions, as you had tried to do. You can look at the documentation for Java regex syntax for help with this.
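An added example, not part of either forum post and not PortSwigger's code: it runs the expression from the question and two alternatives through `java.util.regex` against constructed responses, to show how Java reads `/302|500/g` and why anchoring to the status line matters. It assumes the expression is searched for within the raw response text (`find()` semantics); the class name, sample responses and the anchored pattern are illustrative.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SessionInvalidRegex {
    // Constructed sample responses (not captured from any real application).
    static final Map<String, String> SAMPLES = new LinkedHashMap<>();
    static {
        SAMPLES.put("redirect after session closed",
            "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n");
        SAMPLES.put("application error",
            "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n");
        SAMPLES.put("valid page, Content-Length 5002",
            "HTTP/1.1 200 OK\r\nContent-Length: 5002\r\n\r\n<html>...</html>");
    }

    static final String[] EXPRESSIONS = {
        // JavaScript-style literal: Java has no /.../g delimiters or flags,
        // so this is the alternation of the literal strings "/302" and "500/g".
        "/302|500/g",
        // Plain alternation: matches "302" or "500" anywhere in the response,
        // including inside other numbers such as a Content-Length value.
        "302|500",
        // Anchored to the status line: only a 302 or 500 status code at the
        // very start of the response counts as an invalid session.
        "^HTTP/\\d(?:\\.\\d)? (?:302|500)\\b"
    };

    // True when the expression is found anywhere in the response text.
    static boolean indicatesInvalidSession(String expression, String response) {
        return Pattern.compile(expression).matcher(response).find();
    }

    public static void main(String[] args) {
        for (String expression : EXPRESSIONS) {
            System.out.println("expression: " + expression);
            for (Map.Entry<String, String> sample : SAMPLES.entrySet()) {
                boolean hit = indicatesInvalidSession(expression, sample.getValue());
                System.out.printf("  %-34s -> %s%n", sample.getKey(),
                    hit ? "invalid session (macro would run)" : "no match");
            }
        }
    }
}
```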
